xz attack: indications of similar attack attempts on three JavaScript projects

"Jia Tan" pressured the xz maintainer in order to smuggle in a backdoor. There are indications that similar attempts were made against other projects.

(Image: Girl's hands on an illuminated laptop keyboard; africa_pink/Shutterstock.com)
This article was originally published in German and has been automatically translated.

The sophisticated attack on the xz tools, which was averted only by a good deal of luck, is "probably not an isolated case". There are indications of similar attacks on a total of three JavaScript projects. This was made public by the Open Source Security Foundation and the OpenJS Foundation, which describe a series of similar emails and suspicious accounts on GitHub. The two organizations are not disclosing which projects are involved. They are appealing to those responsible for open source projects to be prepared for social engineering attacks, to recognize early warning signs and to take steps to secure their projects.

In one case, which the two organizations summarize, a committee of the OpenJS Foundation received an email requesting that "one of the most popular JavaScript projects" be updated and "critical security vulnerabilities" be addressed. No details were provided. Instead, the unknown author demanded to be appointed as the responsible party, even though they had not previously worked on the project. This is strongly reminiscent of the approach taken by "Jia Tan" with the xz tools. Similar attempts were made with two other projects that are not hosted by the organization. The US cybersecurity agency CISA has been informed about this.

Although neither organization provided details, they summarized the suspicious patterns they had identified. For example, one should be particularly careful if a relatively unknown member of a community appears "friendly but aggressive and persistent" towards those responsible for a project. It is also a telltale sign if an unknown person wants to become a maintainer and is supported by other unknown people. In addition, particular care must be taken if source code is intentionally difficult to understand or not readable by humans. The same applies to claims of ever-increasing security problems and the creation of a false sense of urgency.

The organizations write that such attacks exploit the sense of responsibility that maintainers have towards their projects and the community. They advise maintainers to pay attention to their own feelings: self-doubt or the feeling of not doing enough could be the result of an attack. They also recommend security measures such as two-factor authentication, a password manager and other practices. Furthermore, best practices should be followed for the inclusion of new code, and the assignment of rights should be strictly controlled. They also call for significantly more resources and international coordination to support the often small teams.

The announcement that there have apparently been attempts to attack several JavaScript projects follows the discovery of a sophisticated attack on the xz tools included in many open source platforms. The attacker "Jia Tan" had done years of preparatory work and, with the help of several accomplices or fake accounts that built up psychological pressure on the main developer, not only gained control of the xz project and installed a backdoor, but also pressured Linux distributions to adopt the package versions he had prepared as quickly as possible. The attack was discovered practically on the finishing straight; otherwise it could have had catastrophic consequences.

(mho)